Today, individuals and institutions in science and industry are increasingly forming virtual organizations to pool resources and tackle a common goal. In one example, the National Science Foundation\'s Partnerships for Advanced Computational Infrastructure program provide a next-generation infrastructure for computational science. PACIs, relatively large and long-lived virtual organizations funded for five to ten years, link some 50 institutions and thousands of researchers. Other virtual organizations, however, may be smaller and more fleeting. Participants in virtual organizations commonly need to share resources such as data archives, computer cycles, and networks�resources usually available only with restrictions based on the requested resource\'s nature and the user\'s identity. Thus, any sharing mechanism must have the ability to authenticate the user\'s identity and determine if the user is authorized to request the resource. Virtual organizations tend to be fluid, however, so authentication mechanisms must be flexible and lightweight, allowing administrators to quickly establish and change resource-sharing arrangements. However, because virtual organizations complement rather than replace existing institutions, sharing mechanisms cannot change local policies and must allow individual institutions to maintain control over their own resources. Our group has createad and deployed an authentication and authorization infrastructure that meets these requirements: the Grid Security Infrastructure. GSI offers secure single sign-ons and preserves site control over access policies and local security. It provides its own versions of common applications, such as FTP and remote login, and a programming interface for creating secure applications. Dozens of supercomputers and storage systems already use GSI, a level of acceptance reached by fefw other security infrastructures.